Two ways to call it
The Management API supports two use cases, and most endpoints work with either:- System-to-system — a back-end integration authenticates with credentials and calls the API with no human in the loop (for example, provisioning identities or bulk operations).
- Operator sign-in — a person signs in (with 2FA) and acts through an admin tool; the operator role and permission claims on their token authorise each call (details).
What you can do
Provision an identity
Create an identity and its application for your program with
POST /identity.Issuing cards for your users
End-to-end: create a user, onboard them, issue and fund a card.
Operator authentication
Sign in, roles, and permission claims.
Search
Find applications, accounts, transactions, cards, payments, charges — with CSV export.
Reports
Async report generation: transactions, customers, fees, MT940, and more.
Payment approvals
Review held payments and approve or reject them in bulk.
Acting on a customer
Accounts, payments, beneficiaries, and batches on a customer’s behalf
(PCI / Compliance-approved workflows only).
Card operations
Issue, block/unblock, and limits.
Fees
Read the fee catalog and generate fee documents.
Access management
Operators, software users, customer invites, and access grants.
Webhooks
Events Orenda pushes to you, and signature verification.
Conventions
- Base URL:
https://api.next.orenda.finance— the same gateway as the customer API; what makes a call administrative is the operator role and permission claims on the token. - Send
Authorization: Bearer <access_token>andx-program-idon every call (x-sandbox: truefor the test environment). - Endpoint authorisation is claim-based (e.g.
transactions.view,payments.create,reports.view) — each page notes what’s required.